I’ve been maintaining my own web server for this WordPress blog for several years now, dating back to 2005 when I first started using CentOS 4 to run my website. Those were the days I switched from authoring websites with Dreamweaver and FTP to using WordPress and ditching those antiquated tools altogether. Talking of antiquated, I’ve been working with Unix since 1992 and was a Linux sysadmin for an ISP for several years after that. I’ve also been learning along the way with each release of CentOS/RHEL, and I have taken much more notice of security hardening, including the use of SELinux.

As an experiment, I posted a tweet last night merely mentioning SELinux which resulted in some predictable responses including:

I really don’t blame them for disliking SELinux; it seems that is the majority opinion. But I hope to change that! If I can get it working and playing nicely with my WordPress site, then so can you. The reason I use SELinux isn’t to make my life any more difficult (though that could be true at times!), but it helps me better understand the inner workings of CentOS 7 while providing significant levels of security.

Following the theme for ELS (Essential Linux Skills) with CentOS 7 (see part 1), today I want to share what I consider to be the most important topic of the lot: firewalls. Securing your Linux host is, in my opinion, the first thing you should be doing before hosting any web services. In my last post, you learned all about systemd and hopefully are now comfortable with the switch from SysV init.

If you are responsible for building Linux hosts for web applications then this will be an especially important topic for you. The same applies if you want to master security with Linux. This might get a little technical, but hang in there.

RHEL (Red Hat Enterprise Linux) and CentOS 7 introduce firewalld, which is now installed by default instead of the iptables service. Another newcomer, but not yet loaded by default with CentOS 7, is nftables. What’s the difference? Well, firewalld is a new user-space front end, but it doesn’t replace iptables: it still manages iptables rules underneath. nftables, on the other hand, will eventually replace iptables itself.

Confused? I don’t blame you, so let me explain the iptables architecture. It’s important to understand how iptables works in order to understand the changes that firewalld and nftables bring to the table (pun intended).

With the recent release of VMware Horizon 6.1.1 (June 2015) come many new features and changes. For 3 years now I’ve been maintaining a diagram detailing all of the network ports used by VMware Horizon (formerly View), and I am pleased to share the third version for the latest release. Many new components are present such as Blast on Linux virtual desktops, the new JMS enhanced security mode (JMS SSL), App Volumes and RDS hosts just to name a few.

I’ve also taken the opportunity to separate tunneled connections (e.g. PCoIP Secure Gateway or Blast Gateway) at the top of the diagram and direct connections at the bottom.

The diagram is an A0 PDF (118.88cm x 84.1cm) which is simply huge! Feel free to print this out and use it as a wall poster :)

As tempting as it is, I have no intention of jumping on the ‘Shellshock’ bandwagon and writing a vague post on the subject. However, I do find this recent bash exploit interesting and worthy of investigation as it’s simple to test and has a plethora of vectors that could be exploited. I’ve read many media reports on this and unfortunately some of their layman’s terms are inaccurate or do not provide the full picture. The purpose of this blog post is for my own reference and anybody that needs a starting point of where to look. For an in-depth look at this then I would recommend you read Troy Hunt’s article. For a quick technical reference then feel free to read on to the full post, Shellshock Vulnerability and Potential Exploitation (not another blog post on CVE-2014-6271 / CVE-2014-7169).